Given its potential to cause significant financial, reputational, legal, and operational damage, cyber risk is an existential issue for businesses worldwide.
Indeed, recent attacks have shown how devastating and far-reaching the consequences can be: in a recent Cybersecurity Advisory issued by the U.S. Department of the Treasury, it was reported that U.S. banks and financial institutions processed roughly $1.2 billion in ransomware payments in 2021, a new record and almost three times the amount in the prior year.
Ramping up cyber defenses
It’s critical that organizations respond accordingly. Beyond ramping up investment in their cyber defenses, organizations must also find ways to understand cyber risk itself. Business leaders and boards need to know how to accurately measure, quantify and mitigate firmwide cyber risk and exposure and, importantly, integrate their learnings across the business to inform key strategy decisions.
In addition, boards should make informed decisions about security initiatives, budget allocation, supply chain risk, investor confidence, and operating transparently with regulators and market participants, taking into account the potential exposure that cyber risks may present in each area of their overall strategy.
Who’s responsible for addressing cyber risk?
Of course, IT and security teams have traditionally been responsible for protecting organizations from cyber-attacks. But, given how cyber threats originate across an organization’s front line, these teams cannot tackle cyber risks alone.
Many teams across an organization should proactively integrate cyber risk metrics into their risk assessment and decision-making – whether they are deciding to work with a new vendor, extending a line of credit, underwriting an insurance policy or conducting compliance checks during onboarding.
What’s measured can be better managed
Without a means to measure third-party cybersecurity risk, organizations are more exposed to the cross-business impacts of poor third-party cybersecurity, including operational disruption, financial penalties, legal consequences, and third-party breaches. Given the significant financial and operational consequences of a cyber-attack, it’s vital that third-party cybersecurity performance is monitored and feedback is integrated into cross-business risk assessments. Here, Moody’s can help organizations to assess complex, interconnected risks and make more informed decisions, by providing a holistic view of third-party cyber risk.
“As we continue to see cyber-related losses rise across industries, it is imperative for our clients to better understand, measure and mitigate cyber risk,” says Matt McDonald, Managing Director, Moody’s Analytics.
Matt continues, “We are delighted to enhance our integrated risk assessment capabilities with the introduction of Cyber Risk Ratings by BitSight in our Orbis and Catalyst solutions to help our customers fortify operational resilience and support the growth of their businesses.”
“Cybersecurity risk is a critical and necessary input into an integrated risk framework,” adds Derek Vadala, Chief Risk Officer at BitSight. “The integration of our industry-leading analytics into the Orbis and Catalyst solutions will enable Moody’s Analytics customers to incorporate cybersecurity risk factors into their diligence and monitoring workflows. Our partnership with Moody’s Analytics further enables customers to holistically manage the cybersecurity risk posed by their extended ecosystem of customers, vendors and investments.”